Entangled state quantum cryptography: Eavesdropping on the Ekert protocol

Using polarization-entangled photons from spontaneous parametric downconversion, we have imple-
mented Ekert's quantum cryptography protocol. The near-perfect correlations of the photons allow 
the sharing of a secret key between two parties. The presence of an eavesdropper is continually 
checked by measuring Bell's inequalities. We investigated several possible eavesdropper strategies, 
including pseudo-quantum non-demolition measurements. In all cases, the eavesdropper's presence 
was readily apparent. We discuss a procedure to increase her detectability. 

PACS numbers: 03.67.Dd, 03.65.-a, 42.79.Sz, 03.65.Bz 



The emerging field of quantum information science 
aims to use the nonclassical features of quantum systems 
to achieve performance in communications and compu- 
tation that is superior to that achievable with systems 
based solely on classical physics. For example, current 
methods of public-key cryptography base their security 
on the supposed (but unproven) computational difficulty 
in solving certain problems, e.g., finding the prime fac- 
tors of large numbers - these problems have not only 
been unproven to be difficult, but actually been shown 
to be computationally "easy" in the context of quantum
computation. In contrast, it is now generally accepted
that techniques of quantum cryptography can allow com-
pletely secure communications between distant parties.
Specifically, by using single photons to distribute a
secret random cryptographic key, one can ensure that no 
eavesdropping goes unnoticed; more precisely, one can set 
rigid upper bounds on the possible information known to 
a potential eavesdropper, based on measured error rates, 
and use appropriate methods of "privacy amplification" 
to reduce this information to an acceptable level.

Since its discovery, quantum cryptography has been 
demonstrated by a number of groups using weak coherent 
states, both in fiber-based systems and in free space
arrangements. These experiments are provably se-
cure against all eavesdropping attacks based on presently
available technology; however, there are certain conceiv- 
able attacks to which they are vulnerable, as sometimes 
the pulses used necessarily contain more than one pho- 
ton - an eavesdropper could in principle use these events 
to gain information about the key without introducing 
any extra errors. Use of true single-photon sources
can close this potential security loophole; and while the 
loophole still exists when using pairs of photons as from 
parametric down-conversion (because occasionally there 
will be double pairs), it has been shown that they may 
allow secure transmissions over longer distances.

While a number of groups use correlated photon pairs 
to study nonlocal correlations (via tests of Bell's inequal-
ities), and their possible application for quantum
cryptography, to our knowledge no results explic-
itly using entangled photons in a quantum cryptographic
protocol have been reported in the literature. It is
now well established that one cannot employ these non-
local correlations for superluminal signaling. Never-
theless, Ekert showed that one can use the correlations
to establish a secret random key between two parties, as
part of a completely secure cryptography protocol.

In our version of the Ekert protocol, "Alice" and "Bob" 
each receive one photon of a polarization-entangled pair 
in the state $|\phi^+\rangle = (|H_1 H_2\rangle + |V_1 V_2\rangle)/\sqrt{2}$, where $H$ ($V$)
represents horizontal (vertical) polarization. They each
respectively measure the polarization of their photons in
the bases $(|H_1\rangle + e^{i\alpha}|V_1\rangle)$ and $(|H_2\rangle + e^{i\beta}|V_2\rangle)$, where
$\alpha$ and $\beta$ randomly take on the values $\alpha_1 = 45^\circ$, $\alpha_2 = 90^\circ$,
$\alpha_3 = 135^\circ$, $\alpha_4 = 180^\circ$; $\beta_1 = 0^\circ$, $\beta_2 = 45^\circ$, $\beta_3 = 90^\circ$, $\beta_4 = 135^\circ$.
They then disclose by public discussion which bases
were used, but not the measurement results. For the state 
$|\phi^+\rangle$, the probabilities for a coincidence between Alice's
detector 1 (or detector 1', which detects the orthogonally- 
polarized photons) and Bob's detector 2 (2') are given by 

$P_{12}(\alpha,\beta) = P_{1'2'}(\alpha,\beta) = (1 + \cos(\alpha + \beta))/4$   (1)
$P_{12'}(\alpha,\beta) = P_{1'2}(\alpha,\beta) = (1 - \cos(\alpha + \beta))/4$ .

Note that when $\alpha + \beta = 180^\circ$, they will have completely
correlated results, which then constitute the quantum
cryptographic key. As indicated in Table I, the results
from other combinations are revealed and used in two in- 
dependent tests of Bell's inequalities, to check the pres- 
ence of an intermediate eavesdropper ("Eve"). Here we 
present an experimental realization of this protocol, and 
look at the effect of various eavesdropping strategies. 

TABLE I. Distribution of data dependent on Alice's and
Bob's respective phase settings $\alpha_i$ and $\beta_i$ (see text for details).

FIG. 1. Schematic of quantum cryptography system.
351.1 nm light from an Argon ion laser is used to pump two
perpendicularly-oriented nonlinear optical crystals (BBO). 
The resultant entangled photons are sent to Alice and Bob, 
who each analyze them in one of four randomly chosen bases. 
The eavesdropper, if present, was incorporated using either a 
polarizer or a decohering birefringent plate (both orientable, 
and in some cases with additional wave plates to allow anal- 
ysis in arbitrary elliptical polarization bases [Fig. 2a,c]). 



We prepare the polarization-entangled state using the 
process of spontaneous parametric down-conversion in a 
nonlinear crystal. In brief, two identically-cut ad-
jacent crystals (beta-barium-borate, BBO) are oriented
with their optic axes in planes perpendicular to each 
other (Fig. 1). A 45°-polarized pump photon is then 
equally likely to convert in either crystal. Given the co- 
herence and high spatial overlap (for our 0.6mm-thick 
crystals) between these two processes, the photon pairs 
are then created in the maximally-entangled state $|\phi^+\rangle$.
Alice's and Bob's analysis systems each consist of a ran- 
domly driven liquid crystal [LC] (to set the applied phase 
shift), a half wave plate [HWP] (with optic axis at 22.5°), 
and a calcite Glan-Thompson prism [PBS] . Photons from 
the horizontal and vertical polarization outputs of each 
prism are detected (after narrow-band interference fil-
ters) using silicon avalanche photodiodes (EG&G SPCM-
AQ's, efficiency ~ 60%, dark count < 400 s$^{-1}$). The cor-
related detector signals are synchronized and temporally
discriminated through AND gates. Because of the narrow 
gate window (5 ns), the rate of accidental coincidences 
(resulting from multiple pairs or background counts) is 
only 10 s . From separate computers, Alice and Bob 
control their respective LC's with synchronously clocked 
arbitrary waveform generator cards. A coincident
event triggers a digitizer, which records the LC states,
and the outputs from each of the four detector pairs [20].

Because the total rate of coincidences between Alice's 
and Bob's detectors was typically 5000 s$^{-1}$, the proba-
bility of having at least one pair of photons during the
collection time window of 1 ms was 99%. Of course, 
there was then also a high probability of more than one 
pair being detected within the window (96%). Because 
the phase setting remains unchanged during a collection 
window, multiple pairs could conceivably give extra in-
formation to a potential eavesdropper. We avoided this
problem by keeping only the first event in any given win-
dow. Assuming that Alice and Bob each have completely
isolated measurement systems (i.e., there is no way for
an eavesdropper to learn about the measurement param-
eters $\alpha$ and $\beta$ by sending in extra photons of her own),
this system is secure even though no rapid switching is
employed, since only ~1 photon pair event is used for
any particular $\alpha$-$\beta$ setting. Given the 22 ms cycle
period determined by the liquid crystals, the maxi-
mum rate of data collection in our system is 45.4 Hz. The
usable rate is slightly less, because the LC voltages were 
occasionally in transition when the digitizer read them, 
yielding an ambiguous determination of the actual phase 
setting. Typically we collected 40 useful pairs per second. 

As seen in Table I, only 1/4 of the data actually con- 
tributes to the raw cryptographic key; half the data are 
used to test Bell's inequalities; and 1/4 are not used at 
all. In four independent runs of ~10 minutes each,
we obtained a total of 24252 secret key bits (see Table
II), corresponding to a raw bit rate of 10.1 s$^{-1}$; the corre-
sponding bit error rate (BER) was 3.06 ± 0.11%. If
we attribute this BER (conservatively estimated as 3.4%)
entirely to an eavesdropper, we should assume she has
knowledge of up to $0.7\% + (4/\sqrt{2}) \times 3.4\% = 10.3\%$
(≈2500 bits) of the key, where the 0.7% comes from pos-
sible double-pair events, and the second term as-
sumes an intercept-resend strategy. We must
then perform sufficient privacy amplification to reduce
this to an acceptable level. After running an error detec-
tion procedure on our raw key material, 17452 error-free
bits remained. Using appropriate privacy amplification
techniques, this was further compressed to 12215 use-
ful secret bits (a net bit rate of 5.1 s$^{-1}$); the residual in-
formation available to any potential eavesdropper is then
$2^{-(17452-12215-2500)}/\ln 2 \ll 1$ bit.

In contrast to nearly all tests of Bell's inequalities 
previously reported, instead of using linear polarization 
analyses (i.e., in the equatorial plane of the Poincare 
sphere), we used elliptical polarization analysis (i.e., on 
the plane containing the circularly polarized poles of the 
sphere and the ±45° linearly polarized states). In par-
ticular, we measured the Bell parameters:

$S = -E(\alpha_1,\beta_1) + E(\alpha_1,\beta_3) + E(\alpha_3,\beta_1) + E(\alpha_3,\beta_3)$   (2)
$S' = E(\alpha_2,\beta_2) + E(\alpha_2,\beta_4) + E(\alpha_4,\beta_2) - E(\alpha_4,\beta_4)$ ,

where

$E(\alpha,\beta) = \frac{R_{12}(\alpha,\beta) + R_{1'2'}(\alpha,\beta) - R_{12'}(\alpha,\beta) - R_{1'2}(\alpha,\beta)}{R_{12}(\alpha,\beta) + R_{1'2'}(\alpha,\beta) + R_{12'}(\alpha,\beta) + R_{1'2}(\alpha,\beta)}$ , and

the R's are the various coincidence counts between Al- 
ice's and Bob's detectors. For any local realistic theory 
$|S|, |S'| \le 2$, while for the combinations of $\alpha$ and $\beta$ indi-
cated in Table I, the quantum mechanically expected val-
ues of $|S|, |S'|$ are $2\sqrt{2}$. In a typical 10 minute run of our
system, we observed S = -2.67 ± 0.04 and S' = -2.65 ± 0.04;
for the 40 minutes of collected data, our combined val-
ues were S = -2.665 ± 0.019, S' = -2.644 ± 0.019, each a
34-$\sigma$ violation of Bell's inequality. It is expected (and
demonstrated experimentally; see below) that the pres-
ence of an eavesdropper will reduce the observed values
of $|S|, |S'|$. In fact, if the eavesdropper measures one pho-
ton from every pair, then $|S_{eve}| \le \sqrt{2}$. Because we
observed high values of $|S|, |S'|$, in our system the pres-
ence of an eavesdropper could thus be detected in ~1 s
of data collection (the time interval for which our $|S|, |S'|$
exceed $\sqrt{2}$ by $2\sigma$). Of course one could similarly use
the BER as a check for a potential eavesdropper, who 
introduces a minimum BER of 25% if she measures ev- 
ery photon; however, this requires sacrificing some of the 
cryptographic key to accurately determine the BER. 

In investigating the effects of the presence of an eaves- 
dropper there are two main difficulties. First, there are 
various possible strategies; and second, we always assume 
that Eve has essentially perfect equipment and proce- 
dures, which of course is experimentally impossible to 
implement. Hence, we can at best simulate the effects 
she would have; we did this for two particular inter- 
cept/resend eavesdropping strategies. In the first, we 
make a strong filtering measurement of the polarization, 
in some basis $|\chi\rangle$, and send on the surviving photons to
Bob. The simulated eavesdropper thus makes the pro-
jective measurement $|\chi\rangle\langle\chi|$. The effect on the measured
value of S and S' and the BER depend strongly on what
eavesdropping basis $|\chi\rangle$ is used. Theoretical predic-
tions and results for bases in three orthogonal planes in
the Poincare sphere are shown in Figure 2. 

The second eavesdropping strategy examined was 
a quantum non-demolition (QND) measurement.
QND measurements of optical photon number and po- 
larization are presently impossible. In fact, precisely for 
this reason current quantum cryptography implementa- 
tions are secure, even though they employ weak optical 
pulses (with average photon number/pulse less than 1) 
[27]. Nevertheless, the ideal of quantum cryptography is
that it can be made secure against any physically possi- 
ble eavesdropping strategies; hence, it is desirable to test 
any system against as many strategies as possible. 

Although appropriate QND measurements cannot be 
performed at present, it is well known that their effect 
is to produce a random phase between the eigenstates 
of the measurement, in turn due to the entanglement of 
these states with the readout quantum system. We can 
exactly simulate this effect by inserting, in Bob's path, 
a birefringent element that separates the extraordinary
and ordinary components of the photon wavepacket by
more than the coherence length (~140 μm, determined
by the interference filters before the detectors); the re-
sult is a completely random phase between these po-
larization components, just as if a QND measurement
had been made on them. Mathematically, the effect of
the eavesdropper is to make a projective measurement
$|\chi\rangle\langle\chi| + e^{i\xi}|\chi^{\perp}\rangle\langle\chi^{\perp}|$, where $\xi$ represents a random
phase. Note that the theoretical predictions are identical
with that for the strong polarization measurement. The
experimental data are also shown in Fig. 2.

TABLE II. 100 bits of typical shared quantum key data for
Alice (A) and Bob (B), generated using the Ekert protocol.
Italic entries indicate errors; our average BER was 3.06%.

A: miiooioioioiioiooiioooo loioomooiiomoioiooooo

B: 1111100101010110100110000 1010011100100011010101000
A: 1000100101000010100111101 1101001001010101010010111

B: liooiooioioooomoomioi noiooiooiomoioiooiom

FIG. 2. Data and theory showing the effect of an eaves-
dropper on S and BER for various attack bases (as S' closely
agrees with S, it is omitted for clarity). Diamonds represent
strong measurements, made with a polarizer; circles repre-
sent QND attacks, simulated with a 3mm-thick BBO crystal;
error bars are within the points. The attack bases are: a.
$|H\rangle + e^{i\phi}|V\rangle$; b. $\cos\theta|H\rangle + \sin\theta|V\rangle$; and c. $|45^\circ\rangle + e^{i\psi}|-45^\circ\rangle$;
the actual measurement points in these bases are illustrated
on the inset Poincare spheres. The measured average values
with no eavesdropper are indicated by unbroken grey lines,
the broken lines represent the maximum classical value of |S|.

We see immediately that the optimal bases for eaves- 
dropping lie in the same plane (on the Poincare sphere) 
as the bases employed by Alice and Bob - for this case, 
the probability that the eavesdropper causes an error 
is "only" 25% per intercepted bit, and the |S| value is 
$\sqrt{2}$ (Fig. 2a). On the other hand, if the eavesdropper
does not know the plane of the measurement bases, and 
uses, e.g., random measurements in an orthogonal plane, 
her average probability of producing an error climbs to
32.5%/bit, and the average value of |S| drops to $1/\sqrt{2}$.
This suggests a strategy for improved security: Alice and 
Bob should choose bases corresponding to at least two 
(and ideally three) orthogonal planes, thereby "magnify- 
ing" the presence of an eavesdropper (at least one imple-
menting the sort of strong projective or QND-like mea-
surement strategies investigated here) above the usual
25%/bit error probability. Quantitative theoretical in- 
vestigations of such a strategy, known as the "six-state" 
protocol, support these claims.

An eavesdropper could also examine only a fraction 
of the photons, thus reducing her induced BER and in- 
creasing the S value measured by Alice and Bob, at the 
expense of her own knowledge of the cryptographic key. 
For example, if she measures (in the optimal basis) less 
than 58.6% of the photons, S > 2 and the correspond- 
ing BER < 15%, but Eve's knowledge of the key will 
be less than Bob's (and privacy amplification techniques 
will still permit generation of a secret key) [29,30].
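
The figures quoted in the two paragraphs above (|S| = √2 and a 25% error rate for full interception in the optimal plane, and the 58.6% threshold) can be reproduced numerically. The Python model below is an added example, not code from the paper; it assumes ideal detectors, a noise-free source, and an eavesdropper who measures a fraction frac of Bob's photons in the basis |H> ± e^{i·eve_phase}|V> and resends what she found, and all function and parameter names are hypothetical.

```python
# Added illustration, not the authors' code: ideal noise-free model of the
# protocol with an intercept-resend Eve on Bob's photon. Names are hypothetical.
import cmath
import math

ALPHA = [45, 90, 135, 180]  # Alice's phase settings in degrees (from the text)
BETA = [0, 45, 90, 135]     # Bob's phase settings in degrees (from the text)
R2 = math.sqrt(2)

def ket(phase_deg, sign=1):
    """(|H> + sign * e^{i phase}|V>)/sqrt(2) as an (H, V) amplitude pair."""
    return (1 / R2, sign * cmath.exp(1j * math.radians(phase_deg)) / R2)

def amp(a, b):
    """<a|<b|phi+> for the pair state (|HH> + |VV>)/sqrt(2)."""
    return (a[0].conjugate() * b[0].conjugate()
            + a[1].conjugate() * b[1].conjugate()) / R2

def prob(alpha, beta, sa, sb, eve_phase=0.0, frac=0.0):
    """Coincidence probability; sa, sb = +1 for detectors 1, 2 and -1 for 1', 2'.
    Eve measures a fraction frac of Bob's photons in the basis
    |H> +/- e^{i eve_phase}|V> and resends the state she found."""
    a, b = ket(alpha, sa), ket(beta, sb)
    tapped = 0.0
    for s in (1, -1):
        chi = ket(eve_phase, s)
        b_chi = b[0].conjugate() * chi[0] + b[1].conjugate() * chi[1]  # <b|chi>
        tapped += abs(b_chi * amp(a, chi)) ** 2
    return (1 - frac) * abs(amp(a, b)) ** 2 + frac * tapped

def corr(alpha, beta, **eve):
    """E(alpha, beta); the four coincidence probabilities sum to 1."""
    return sum(sa * sb * prob(alpha, beta, sa, sb, **eve)
               for sa in (1, -1) for sb in (1, -1))

def bell(**eve):
    """(S, S') of Eq. (2) for the settings listed in the text."""
    e = lambda i, j: corr(ALPHA[i - 1], BETA[j - 1], **eve)
    return (-e(1, 1) + e(1, 3) + e(3, 1) + e(3, 3),
            e(2, 2) + e(2, 4) + e(4, 2) - e(4, 4))

def ber(**eve):
    """Mean key error rate: with alpha + beta = 180 deg the ideal state never
    gives a 1-2 or 1'-2' coincidence, so those events count as errors."""
    keys = [(a, b) for a in ALPHA for b in BETA if a + b == 180]
    return sum(prob(a, b, s, s, **eve) for a, b in keys for s in (1, -1)) / len(keys)

if __name__ == "__main__":
    for f in (0.0, 2 - R2, 1.0):
        s, s2 = bell(eve_phase=30.0, frac=f)
        print(f"fraction {f:.3f}: S={s:+.3f} S'={s2:+.3f} BER={ber(eve_phase=30.0, frac=f):.3f}")
```

In this model the results for frac = 1 do not depend on eve_phase, and |S| falls to the classical bound of 2 exactly at frac = 2 - √2 ≈ 58.6%.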

In summary, we have implemented the Ekert quantum 
cryptography protocol using entangled photon pairs. For 
this proof-of-principle experiment, Alice and Bob were 
situated side by side on the same optical table, obviously 
not the optimal configuration for useful cryptography. 
Nevertheless, our system demonstrates the essential fea- 
tures of the Ekert protocol, and moreover, we believe 
is the first to experimentally investigate the effect of a 
physical intermediate eavesdropper [31]. We see no bar
to extending the transmission distance to hundreds of 
meters or even to earth-to-satellite distances.

We gratefully acknowledge the laboratory assistance 
of S. Lopez, the error correction/privacy amplification 
programs written by E. Twyeffort, and very helpful dis- 
cussions with R. Hughes and N. Lutkenhaus. 